Monitoring and Debugging Routers

Overview

Depending on the underlying implementation, you can monitor a running
router in multiple ways. This
topic discusses the HAProxy template router and the components to check to
ensure its health.

Viewing Statistics

The HAProxy router exposes a web listener for the HAProxy statistics. Enter the
router’s public IP address and the correctly configured port (1936 by default)
to view the statistics page. The administrator password and port are configured
during the router installation, but they
can be found by viewing the haproxy.config file on the container.

To view HAProxy router stats:

If needed, create the router
using --stats-port to expose statistics on the specified port:

For security purposes, the
oc exec command does not work when accessing privileged containers. Instead,
you can SSH into a node host, then use the docker exec command on the desired
container.

Disabling Statistics View

By default, the HAProxy statistics are exposed on port 1936 (with a
password-protected account). To disable exposing the HAProxy statistics,
specify 0 as the stats port number.

$ oc adm router hap --service-account=router --stats-port=0

Note: HAProxy still collects and stores statistics; it just does not
expose them through a web listener. You can still access the
statistics by sending a request to the HAProxy AF_UNIX socket inside
the HAProxy router container.

For security purposes, the
oc exec command does not work when accessing privileged containers. Instead,
you can SSH into a node host, then use the docker exec command on the desired
container.

Viewing Logs

To view a router log, run the oc logs command on the pod. Since the router is
running as a plug-in process that manages the underlying implementation, the log
is for the plug-in, not the actual HAProxy log.

To view the logs generated by HAProxy, start a syslog server and pass the
location to a router pod using the following environment variables.

Table 1. Router Syslog Variables

| Environment Variable | Description |
|----------------------|-------------|
| ROUTER_SYSLOG_ADDRESS | The IP address of the syslog server. Port 514 is the default if no port is specified. |
| ROUTER_LOG_LEVEL | Optional. Set to change the HAProxy log level. If not set, the default log level is warning. This can be changed to any log level that HAProxy supports. |
| ROUTER_SYSLOG_FORMAT | Optional. Set to define customized HAProxy log format. This can be changed to any log format string that HAProxy accepts. |

Viewing the Router Internals

routes.json

Routes are processed by the HAProxy router, and are stored in memory, on
disk, and in the HAProxy configuration file. The internal route representation,
which is passed to the template to generate the HAProxy configuration file, is
found in the /var/lib/haproxy/router/routes.json file. When
troubleshooting a routing issue, view this file to see the data being used to
drive configuration.

HAProxy configuration

You can find the HAProxy configuration and the backends that have been created
for specific routes in the /var/lib/haproxy/conf/haproxy.config file. The
mapping files are found in the same directory. The helper frontend and
backends use mapping files when mapping incoming requests to a backend.

Certificates

Certificates are stored in two places:

Certificates for edge terminated and re-encrypt terminated routes are stored
in the /var/lib/haproxy/router/certs directory.

Certificates that are used for connecting to backends for re-encrypt
terminated routes are stored in the /var/lib/haproxy/router/cacerts
directory.

The files are keyed by the namespace and name of the route. The key,
certificate, and CA certificate are concatenated into a single file. You can use
OpenSSL to view the contents of these files.
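
Because each of these files holds the private key alongside the certificates, the following added example (not part of the original documentation) summarises a bundle with OpenSSL without echoing any key material. It assumes a POSIX shell with awk and openssl available; the file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: inspect a router certificate bundle (key + certificate +
# CA certificate concatenated in one PEM file) without printing the key.

# List the type of every PEM block in the file, in order, one per line.
pem_blocks() {
    awk '/^-----BEGIN [A-Z0-9 ]+-----$/ {
             sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print
         }' "$1"
}

# Print the Nth (1-based) CERTIFICATE block of the file, markers included.
pem_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; on = (n == want) }
        on { print }
        /^-----END CERTIFICATE-----$/   { on = 0 }' "$1"
}

# Summarise a bundle: report key presence only, then show subject, issuer,
# expiry date and SHA-256 fingerprint for each certificate block.
describe_router_pem() {
    file=$1
    # grep -c exits non-zero on a count of 0, so guard it for `set -e` shells.
    keys=$(pem_blocks "$file" | grep -c 'PRIVATE KEY' || true)
    certs=$(pem_blocks "$file" | grep -c '^CERTIFICATE$' || true)
    echo "$file: $keys private key block(s), $certs certificate block(s)"
    i=1
    while [ "$i" -le "$certs" ]; do
        echo "--- certificate $i"
        pem_cert "$file" "$i" |
            openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
        i=$((i + 1))
    done
}

# Run on the files given as arguments, for example a file taken from
# /var/lib/haproxy/router/certs (placeholder name):
#   sh inspect-router-pem.sh <namespace-and-route-name>.pem
for f in "$@"; do describe_router_pem "$f"; done
```

A bundle that reports zero private key blocks or an unexpected number of certificate blocks is worth comparing against the route definition before looking further at the HAProxy configuration.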